best way to audit in vfs

Serge E. Hallyn serue at us.ibm.com
Tue Dec 14 21:42:11 UTC 2004


Quoting Stephen Smalley (sds at epoch.ncsc.mil):
> On Tue, 2004-12-14 at 16:24, Serge E. Hallyn wrote:
> > Actually that's the problem - the hook functions only determine whether
> > the action is potentially auditable.  It might only be auditable when
> > accessed by a certain user.  Or, there might be a single user for whom
> > we want to audit every access.  But that doesn't mean we want every access
> > by every user causing a partial audit record to be emitted.
> 
> Yes, but why can't you make the full determination in your hook
> function?  At the point of the hook function, you know:
> - the current process information,
> - the object information,
> - the call site.

Good point.

> It is possible that you have some complex audit configuration in mind
> that requires tying together information from multiple hooks in order to
> determine whether or not to audit the operation, but I'm not sure
> whether that is necessary. 

No, I think we all agree that anything much more complicated should be done
in userspace.  The only real reason to care about doing some in kernel space,
I think, is to minimize wasted kernel->auditd traffic.

-serge
